feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)

Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-19 08:31:51 +00:00
parent d0ed7d9cd6
commit 0754dc32e6
31 changed files with 2098 additions and 1077 deletions

View File

@@ -0,0 +1,147 @@
# Deployment + Service — Authelia (namespace: sso)
#
# Authelia is the authentication frontend: it handles username/password entry
# and redirects back to KeyCape with an authorization code. KeyCape then
# invokes the privacyIDEA adapter to perform the MFA step.
#
# Prerequisites (apply in order):
# 1. pvc.yaml — authelia-data PVC
# 2. configmap.yaml — authelia-config ConfigMap
# 3. create-secrets.sh — authelia-secrets (JWT, session, storage, LDAP, OIDC keys)
# 4. This file
# 5. ingress.yaml
#
# Sensitive values are passed as *_FILE env vars pointing to Secret-mounted files.
# See configmap.yaml for the full list of injected secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
namespace: sso
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: authelia
strategy:
type: Recreate # single replica; SQLite cannot be accessed concurrently
template:
metadata:
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
securityContext:
runAsNonRoot: true
runAsUser: 8000 # authelia default user
fsGroup: 8000
containers:
- name: authelia
# Pin to a specific 4.x release. Check https://hub.docker.com/r/authelia/authelia
image: authelia/authelia:4.38
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 9091
protocol: TCP
# ── Secret file paths — Authelia reads *_FILE env vars ──────────
env:
- name: AUTHELIA_JWT_SECRET_FILE
value: /run/secrets/authelia/jwt_secret
- name: AUTHELIA_SESSION_SECRET_FILE
value: /run/secrets/authelia/session_secret
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
value: /run/secrets/authelia/storage_encryption_key
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
value: /run/secrets/authelia/ldap_password
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
value: /run/secrets/authelia/oidc_hmac_secret
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
value: /run/secrets/authelia/oidc_issuer_private_key
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
value: /run/secrets/authelia/keycape_client_secret_hash
volumeMounts:
# Config from ConfigMap
- name: config
mountPath: /config/configuration.yml
subPath: configuration.yml
readOnly: true
# Secrets as files
- name: secrets
mountPath: /run/secrets/authelia
readOnly: true
# Writable data (SQLite DB + notification log)
- name: data
mountPath: /var/authelia/data
startupProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 18 # 18 × 5s = 90s for initial LDAP connection
livenessProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 0
periodSeconds: 15
failureThreshold: 3
readinessProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 0
periodSeconds: 10
failureThreshold: 3
resources:
requests:
cpu: "50m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
volumes:
- name: config
configMap:
name: authelia-config
- name: secrets
secret:
secretName: authelia-secrets
- name: data
persistentVolumeClaim:
claimName: authelia-data
---
# Service — ClusterIP; Traefik and KeyCape reach Authelia via port 9091.
apiVersion: v1
kind: Service
metadata:
name: authelia
namespace: sso
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: authelia
ports:
- name: http
port: 9091
targetPort: 9091
protocol: TCP